Gateway: disable_plaintext_auth not working?
-
Hi *!
I wonder if the disable_plaintext_auth setting in Kopano Gateway works.
I have set this to “yes” and restarted the gateway, but I can still log in with my username and password without having started a TLS session. Do I misunderstand this setting? What should it do, if not prevent credentials from being given over an unencrypted connection?
Proof:
for POP3:
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
USER myusername
+OK Waiting for password
PASS hiddenpassword
+OK Username and password accepted
STAT
+OK 1288 464710878
LIST 1
+OK 1 2909199
QUIT
+OK Bye
for IMAP
root@border:~# telnet localhost imap
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN] IMAP gateway ready
? LOGIN
? BAD LOGIN must have 2 arguments
LOGIN
* BAD Command not recognized
? LOGIN myusername hiddenpassword
? NO LOGIN wrong username or password
? LOGIN myusername hiddenpassword
? OK [CAPABILITY IMAP4rev1 LITERAL+ CHILDREN XAOL-OPTION NAMESPACE QUOTA IDLE] LOGIN completed
* OK [CAPABILITY IMAP4rev1 LITERAL+ STARTTLS AUTH=PLAIN] IMAP gateway ready
-
To answer my own question: when looking into the code, this setting works only for connections coming from the outside world:
From GIT: kopanocore/gateway/IMAP.cpp:
if (!lpChannel->UsingSsl()
    && lpChannel->sslctx()
    && plain && strcmp(plain, "yes") == 0
    && lpChannel->peer_is_local() <= 0) { … }
When I set disable_plaintext_auth to yes and connect from the outside world to the gateway, everything works well:
proxy# telnet kopano.gateway.server.net pop3
Trying 1.2.3.4...
Connected to kopano.gateway.server.net.
Escape character is '^]'.
+OK POP3 gateway ready
USER myusername
-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections
QUIT
It’s more a documentation problem than a technical …
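A check for the behaviour described in this thread, as an added example that is not part of the original posts or of Kopano's code: it sends only USER (never a password) over cleartext POP3 and reports whether the gateway refuses it, flagging results obtained from a local peer as inconclusive. The names classify_pop3, verdict and probe are hypothetical, and treating a loopback peer as "local" is an assumption based on the 127.0.0.1 session above.

```python
import ipaddress
import socket

def classify_pop3(rfile, wfile, user="probe-user"):
    """Send USER on a cleartext POP3 stream and report the server's reaction.

    No password is ever sent. Returns "refused", "accepted" or "unknown".
    """
    if not rfile.readline().startswith(b"+OK"):      # server greeting
        return "unknown"
    wfile.write(b"USER " + user.encode("ascii") + b"\r\n")
    wfile.flush()
    reply = rfile.readline()
    wfile.write(b"QUIT\r\n")
    wfile.flush()
    if reply.startswith(b"-ERR"):
        return "refused"     # e.g. "-ERR [AUTH] Plaintext authentication disallowed ..."
    if reply.startswith(b"+OK"):
        return "accepted"    # e.g. "+OK Waiting for password"
    return "unknown"

def verdict(result, peer_ip):
    """Combine the server's reaction with where the probe connected to."""
    if result == "accepted" and ipaddress.ip_address(peer_ip).is_loopback:
        # The gateway only enforces the setting when peer_is_local() <= 0,
        # so a probe over loopback (assumed local) proves nothing.
        return "inconclusive: local peers are exempt, re-run from another host"
    return {"refused": "ok: plaintext auth refused before TLS",
            "accepted": "FAIL: server asks for a password over cleartext"}.get(result, "unknown reply")

def probe(host, port=110, timeout=5.0):
    """Connect without TLS and return the verdict for host:port."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        peer_ip = sock.getpeername()[0]
        with sock.makefile("rwb") as stream:
            return verdict(classify_pop3(stream, stream), peer_ip)

if __name__ == "__main__":
    import io
    # Constructed streams built from the server replies quoted in this thread.
    for peer, reply in (("127.0.0.1", b"+OK Waiting for password\r\n"),
                        ("1.2.3.4", b"-ERR [AUTH] Plaintext authentication disallowed on non-secure (SSL/TLS) connections\r\n")):
        stream = io.BytesIO(b"+OK POP3 gateway ready\r\n" + reply)
        print(peer, "->", verdict(classify_pop3(stream, io.BytesIO()), peer))
```

To test a live gateway, call probe() with its hostname from a machine other than the gateway itself.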